DDoS, the cloud and you

Who are you rubbing shoulders with?

Private cloud computing can be a useful way to offload some computing overhead and manage your costs effectively. The switch to operating expenses from capital expenses, the elasticity, the business continuity benefits – they're all real. But so are the dangers of DDoS disaster.

There's a problem with moving your servers and data up to the cloud: it increases your attack surface. Suddenly, you're not the only one at risk from a DDoS attack. The cloud service provider's other customers are too, and that can have implications for you.

In this sense, private cloud is like getting into the same bath as everyone else. Who are you sharing your servers with? No matter whether your environment is collocated, or a single or multi-tenant hosted environment, you may be rubbing shoulders with other companies less salubrious than yours, that draw more attention online. If that attention includes denial of service traffic, your business could suffer.

When a DDoS attack hits the cloud service provider's (CSP) data centre, the traffic may be targeted at a particular tenant, but because the attacker is using the CSP's internet connection to reach that tenant, it will naturally choke off others' traffic, too.

“By the time the traffic gets to you or the customer, that's already being targeted: the damage is already done. It doesn't matter if you filter the traffic at the small end of the funnel. The big end of the funnel is already overflowing,” said Andy Shoemaker, CEO of DDoS research and simulation consulting firm Nimbus DDoS.

This means that if you happen to be sharing a private cloud data centre with the Westboro Baptist church and Anonymous decides to teach it a lesson, there may be some spillover.

The smaller the cloud hosting company, the less likely they are to be able to put up with that denial of service traffic. “When these botnets can go over 100Gbit/sec, unless you are a very large provider, the type of bandwidth [you need to deal with the problem] just isn't around,” said Justin Giardina, CTO of cloud service provider iLand. “So I would probably say: do your homework if you're working with a provider.”

He has a valid point. While DDoS attacks are often small and targeted, the large ones are getting larger. Cisco believes that peak attack sizes are increasing linearly. The biggest attacks in 2013, 2014 and 2015 were 300, 400 and 500 Gbit/sec respectively. It believes that a whale of a DDoS attack like this can slurp up 10 per cent of a country's total Internet traffic. These large attacks are the exceptions, but the number of smaller attacks is also increasing, which intensifies the threat to businesses. Last year’s 6.6 million attacks will grow to 8.4 million this year, more than doubling to 17.4 million in 2020, the firm said. So cloud customers – and their providers – must be ready when attackers roll out the firehose.

“Hosting providers should capitalise on DDoS mitigation as part of their overall managed service offerings – otherwise they could well be allowing harmful traffic to impact their customers. Economically viable solutions to the DDoS problem in hosting provider data centres exist. and they can be put in place to defeat DDoS attacks without undermining or overlooking legitimate users,” said Dave Larson, COO of Corero Network Security.

How cloud providers can respond

What are CSPs doing to mitigate the problem? If an attack on private cloud infrastructure reaches a certain threshold, then the temptation is to throw the customer under the bus and flip the ‘off’ switch on their servers. That isn't the only option, though. There are things that both the CSP and the customer can do.

Cloud-based DDoS mitigation services from companies like Akamai's Prolexic and Cloudflare typically take traffic on its way to a CSP and scrub it, analysing it for suspicious packets that show the characteristics of a DDoS attack before removing them and sending the cleaned traffic on its way. Other hardware-based systems, such as Corero's, are designed to sit between the service provider's own network and its upstream internet providers and analyse traffic, detect the DDoS attack, and mitigate immediately.

This means hosting providers are able to provide customers with protection that ensures sites and applications can remain uninterrupted and unimpeded. Much of this technology will come as standard with certain hosting service packages, capitalizing on the abilities of automation and maximizing efficiency by eliminating the need for human intervention.

DIY problem solving

This is especially true in situations where DDoS attacks focus on applications rather than simply on infrastructure. These attacks tend not to clog a large pipe with layer three and four traffic, but instead target application protocols, tying up an individual tenant's application with requests. “It is much harder to protect from a layer 7 attack. For these, website architecture is key – having different aspects of the website running off separate servers means that the load of traffic is spread so if one area is attacked it can't affect the rest of the site,” said Paul Vlissidis, technical director at global cyber security and risk mitigation expert NCC Group.

“Websites that are designed to handle very high levels of use are likely to be designed in this way, meaning they have the added benefit of being better protected from a DDoS attack,” he continued.

Customers can expand this concept by load balancing across multiple private cloud service providers, explains Nathan Dornbrook, chief technology officer at security consulting firm ECS. Ideally, sign deals with multiple incumbent private cloud providers who are close to your customer base (a UK retailer would choose local ones, potentially at the tier 1 level). Then, when disaster strikes, you can fail over – assuming that your applications are designed to support that kind of resilience.

Ultimately, DDoS is a problem that could be solved with the same level of co-operation that it took to create the Internet, said Dornbrook; it's all about being a responsible citizen. ISPs already have to install a route server to connect to the Internet, he muses. Why not mandate protection against DDoS attacks too?

“You could also tell them that they had to put in inline ingress filtering, and if you did that, you would stop 80-90% of DDoS attacks,” he concluded. There's no doubt that moving to a private cloud provider can increase your attack surface. Taking your own steps to mitigate that risk is part of the process, and may incur extra costs for you. Finding out what DDoS mitigation measures your CSP has in place should also be part of your due diligence process.